Follow me on Twitter: https://twitter.com/MattBerry01 I'll be publishing on my blog from now on. I usually send my reports through a newsletter first. Join the mailing list at http://www.3footcrowbar.com/ Interests: -- reading up on bounded rationality, behaviorism, and philosophy -- writing...

After spending two weeks on this, I have concluded that Qihoo did indeed counterfeit Microsoft's security patch. Below you can see some of the evidence during the "gathering process."

If you are new to this page, please skip down to the August 1 entry to begin.

08/08/2012

I got ahold of Windows-KB360018-v4-x86.exe and re-analyzed it at VirusTotal.com. Same SHA256. The filename has now updated to Windows-KB360018-v4-x86.exe. The filename -- WindowsXP-KB999999-x86.exe -- shows up in "more details" as the original filename.

08/07/2012

Thanks to Richard X Roe for pointing me in this direction and giving me an education on SHA256. (Any mistakes here are mine. Please correct me in the comment section if any of my information/assumptions are off.)

As I understand it, each executable program will/can have a unique encrypted ID generated. For Qihoo and its recent scandal, we are referring to the SHA256 ID (Secure Hash Algorithm 256 bits).

The SHA256 ID for the Microsoft Update which is said to be FAKE is the same on both systemexplorer and virustotal. However, the names were different.

(I will shorten the names for convenient reading.) What on systemexplorer.net is kb360 was kb999 on virustotal. The date is 2012.

What on systemexplorer is kb999 does not have the same SHA256 ID as the original kb999 on virustotal. The date is 2011.

Before I updated the filename by re-analyzing it, this is how the two appeared in Virustotal.com:

As if the issue were not confusing enough, articles today emerge accusing Kingsoft of virtually the same abuse, and using almost identical language as found in the charges leveled against Qihoo. Click here. [updated 08/04/2012]

[Back to Qihoo 360]

8/02/2012

Here's a screenshot widely published in China, to which I have added some detail:


The red circle and red text were not mine. I added the call-outs framed in orange and using orange arrows.

You can see the translation in the Google translator at the top or click here for a "live" translation.

You can also see in the lower call-out that "systemexplorer.net" assigns the patch to Qihoo 360 and not to Microsoft. Click Here.

I have been unable to confirm a response from Microsoft, although several blogs have reported that there has been a response: i.e., that it's not Microsoft's patch. See below.

[See end of blog for claim that Qihoo had a partnership with Microsoft to update the IE browser.]

"360 counterfeit Microsoft released a Patch With the latest progress,Microsoft official responded that "(KB360018) is certainly not Microsoft's products" incident in an interview. For how Microsoft will deal with this event, Microsoft officials without further response. Microsoft said that the relevant treatment temporarily can not be revealed to the media."

"Up to now, Microsoft's official response, 360 did not further respond, but the events of the "patch" incident further expansion of the trend, the outside world has shown great interest in how Microsoft will deal with this event."

News appeared today accusing Qihoo 360 of faking a Microsoft patch in order to fool users into installing its own browser, locking them into Qihoo's default home page, leaving them unable to install it, and turning rival browsers into "Zombies."

First, let me play devil's advocate.

I looked but could not find a mention of this by Microsoft, and one should expect one to follow at some point if this story is true.

I found a blog which, translated through Google, appeared to suggest the same: he found no mention (at this time) by Microsoft.

I myself had installed the Qihoo 360 Safe browser this last weekend and had no trouble with the uninstall procedure. I did not install the patch however (as far as I know). (I did however install the antivirus, but after I had already installed the browser.) Also the problem involved IE6, and I was unable to get Microsoft to uninstall below IE7. So I was unable to give it a full test.

See it in the Google Translator, here; in the original Chinese, here. See all articles of the same title, here.

Title: Qihoo 360 falsely reports loopholes in the Windows system to force the installation of their 360 browser.

"Recently, Qihoo 360 has once again been exposed for malicious and deceptive fraud against users, and this has sparked widespread backlash in the blogging scene. There have been users who have posted screenshots online which show the 360 Security Defender wrongly detecting holes in the Windows system and thereby recommending users to install an upgrade patch. After the upgrading is completed, only then do they realise the "patch" is the 360 browser."

The "patch" disables rival browsers:

"Previously installed browsers are rendered inactive instantly and the default browser is locked as the 360 browser, with the homepage fixed as hao.360.cn".

[For a larger sample of screenshots -- apparently in sequential order -- here]

A bit more technical information was provided:

"According to evidence from the users, the 360 browser upon downloading as a patch changes its name to "Windows-KB360018-v7-x86.exe", which is markedly similar to actual Microsoft patches in name."

And then the past of the Qihoo CEO was resurrected:

"Previously, incidents where users were forced to install software which subsequently modified the registry such that it cannot be deleted were fairly common. A classic example would be Qihoo 360's predecessor, 3721, for which Mr Zhou Hong Yi has thereby been called the 'Father of rogue software'."

Huan Ren was said to claim that Microsoft and Qihoo have a "partnership" with the browser (emphasis mine):

"Huan (Qihoo 360): The situation was much worse 2 years ago. Since then, IE6 market share has dropped from 60% to 20% thanks to a collective effort from all these browser vendors, but in particular Qihoo 360 has a partnership with Microsoft that upgrades the default browser on Windows XP from IE6 to IE8. In addition, even for those users who choose not to upgrade browsers, the Qihoo 360 browser brings an IE8 rendering engine to them. That turns out to be a big factor in phasing out IE6."

Qihoo 360 Chairman Zhou domestic IE6 browser still occupies such a large market share, the relationship is not piracy. IE6 user's habits difficult to change, many ordinary users in this respect there is a lot of inert, they adapt to the IE6 style, do not want to and back to the top of the other browser. "Microsoft has stopped on IE6 technology support, and calls for global users to abandon IE6, using the new version of the browser. Unchanged to maintain the user's habits, to provide users with IE6 style browser, but using the updated kernel, you can better solve this problem, Zhou said.

Allegedly, launched last month 360 security browser 5.0 has been adopted IE8.0 kernel. Interface, maintained consistent with the old version of IE6 browser, and user migration to the new version, no need to change the browsing habits. Technology research, this browser can not uninstall IE6 browser under the protection of user security. Did not uninstall the old version of the browser, users within the network does not support the new version of the browser can also use the older version of IE6 for office.

Eliminate IE6 browser does not cooperate with their peers

Internet security issues will always need to be addressed. 360 initiative 'to eliminate IE6' action to the original intention is to protect the user's security. Destroy the old version of the browser 360 one alone can not be done. 360 need everyone to work together to promote a new browser the update process. "Zhou said on Sohu IT, despite the eradication of IE6 this initiative requires the support of various industries, but 360 will not do browser counterparts to promote this action. Zhou's explanation is that the browser 360 in the domestic market share is the largest browser except IE series, if the 360 can not move, other browsers will not do.

(Please feel free to correct me in the comment section.) From how I understand it, each executable program will have a unique encrypted code named for it. One such encrypted code name is SHA256 (Secure Hash Algorithm 256 bits).

The SHA256 for the file accused of being a fake Microsoft patch has one name on systemexplorer.net and another name on VirusTotal. For convenience, I will shorten the names to KB360 and KB999. It is listed on VirusTotal in June 2012.

The filename KB999 on Systemexplorer has a completely different name on VirusTotal. It was listed in VirusTotal in January 2011.

This means that the filename on VirusTotal is not the same as the filename in the recent scandal (although the SHA256 ID is the same).
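The filename-versus-SHA256 comparison made here and in the 08/07 entry can be run as a small correlation. This is an added example, not part of the original post: the two filenames are the ones quoted above, while the file contents and resulting digests are constructed stand-ins.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the two installers; real use would read the files.
BODY_2012 = b"MZ\x90\x00 constructed sample: 2012 installer"
BODY_2011 = b"MZ\x90\x00 constructed sample: 2011 installer"

# Constructed sightings: (source, filename as listed there, file content).
# The two filenames are the ones quoted in the post; the content is made up.
SIGHTINGS = [
    ("systemexplorer.net", "Windows-KB360018-v4-x86.exe", BODY_2012),
    ("virustotal.com", "WindowsXP-KB999999-x86.exe", BODY_2012),
    ("systemexplorer.net", "WindowsXP-KB999999-x86.exe", BODY_2011),
]


def sha256_hex(data: bytes) -> str:
    """SHA-256 is computed over the file's bytes only; the name is not an input."""
    return hashlib.sha256(data).hexdigest()


def correlate(sightings):
    """Return (renamed, reused).

    renamed: digest -> filenames, for content seen under more than one name.
    reused:  filename -> digests, for a name attached to different content.
    """
    names_by_hash = defaultdict(set)
    hashes_by_name = defaultdict(set)
    for _source, name, data in sightings:
        digest = sha256_hex(data)
        key = name.lower()  # Windows filenames are case-insensitive
        names_by_hash[digest].add(key)
        hashes_by_name[key].add(digest)
    renamed = {d: sorted(n) for d, n in names_by_hash.items() if len(n) > 1}
    reused = {n: sorted(d) for n, d in hashes_by_name.items() if len(d) > 1}
    return renamed, reused


if __name__ == "__main__":
    renamed, reused = correlate(SIGHTINGS)
    for digest, names in renamed.items():
        print(f"same content {digest[:12]}... listed as: {', '.join(names)}")
    for name, digests in reused.items():
        print(f"name {name} covers {len(digests)} different files")
```

A matching digest across two listings means the same bytes regardless of what each site calls the file; a matching name with different digests means two different files.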


All Microsoft updates intended for the general public have a website describing them, if there was an update called KB360018 its description would be at http://bit.ly/RhX8M5 (fun fact: recent Microsoft patches have a digit more)

That Microsoft wants IE6 out of its way is no secret. Also that China is the last red country on Microsoft's IE6 countdown site: http://bit.ly/MbTVM8 So it's very likely to assume that Microsoft did indeed ask all popular browser vendors in China utilising the Trident engine to update to the IE6 version, but one thing is certain, they didn't ask them to be impersonated by them.

Author’s reply »
CEO of Kingsoft appears to have said pretty much the same. He was responding to what I'm calling "cloned smears" (See http://bit.ly/NcxAfh).

Note: "Jinshan" (phonetic) and "Gold Mountain" (literal) are how Google sometimes deals with the Chinese characters (金山) -- which in the English speaking world is known as "Kingsoft". The Chinese statement uses the 金山 characters consistently, while in the Google translator it appears in three different forms -- so I have inserted [Kingsoft] for more accurate and easier reading. See link for the original.

"The face of this "[Kingsoft] defender patch" incident, Fu Sheng, CEO of Kingsoft Internet microblogging statement said: "In fact, Microsoft does have an IE6 upgrade IE8 plans, including 360 invited, [Kingsoft], including the number of partners to participate. only [Kingsoft] honestly help Microsoft to upgrade to ie6 ie8, 360 but by the opportunity to trick users to install the browser 360. 360 things brought to light after the crazy dirty water splashed to [Kingsoft]. " http://bit.ly/QDevI6

Also note these posts http://bit.ly/OXfvDL and http://bit.ly/OXfvU0 from January 2011 in which Qihoo employees explain that this is a valid Qihoo patch (although not necessarily a Microsoft patch). As far as I know, Microsoft has no rights to the names "windows-kb360018-v4-x... or "WindowsXP-KB999999-x8... so Qihoo should be able to use them to deploy its own "patches."

Looks like Qihoo has been doing this for quite some time (at least for 19 months), and it is unclear why it has become such an issue recently. Of course, nobody in their right mind will ever use Qihoo browser and antivirus on a desktop, given that IE, Chrome, and Microsoft Security Essentials are all free and pretty decent products.
